What type of user access does your application offer (internal, external [Internet-facing], both, or neither)?

What is the basic authentication and authorization for the external-facing (Internet) portion of your application?

Are there anonymous users?

Is there a secure channel? If so, what is that channel?

Data Classification

What type of data is contained in your application?

Does your application contain personal data?

How business-sensitive is the data managed by your application?

Functionality

What function does your application fulfill? How critical is its role?

Architecture

What is the authentication mechanism used by the client population?